diff options
author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2019-01-24 11:39:28 +0100 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2019-01-27 20:13:57 +0000 |
commit | a389a9f4404c5dc400d23d4fe2a70557d161731a (patch) | |
tree | 06d25562c0e4eedc40245d212ed96dfd206ad3c6 /src/network | |
parent | de3716f0ba97778f59ab85822acc7f3e26c21399 (diff) |
SecureTransport: do not set max protocol version
This is similar to a change we approved recently in OpenSSL back-end.
Similar to OpenSSL, not setting the upper limit on protocols allowed
to negotiate/use, neatly ends up with the highest available, which
is ... TLS 1.2 at the moment, but will silently switch to 1.3 etc.
This was also recommended by Apple's engineer who closed a related
bug report with 'Won't do' - "do not limit the max, you'll always
have the real max supported'. Also, while at the moment we do
not allow QSsl::TlsV1_3 and QSsl::TlsV1_3OrLater, if we managed
to negotiate it - report it properly, not as 'Unknown'.
Task-number: QTBUG-67463
Change-Id: I3f46ea525f06edca03259123809f3b7b1191b1ee
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/ssl/qsslsocket_mac.cpp | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 65d98758ac..7c5f4310f8 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -506,6 +506,8 @@ QSsl::SslProtocol QSslSocketBackendPrivate::sessionProtocol() const return QSsl::TlsV1_1; case kTLSProtocol12: return QSsl::TlsV1_2; + case kTLSProtocol13: + return QSsl::TlsV1_3; default: return QSsl::UnknownProtocol; } @@ -1158,43 +1160,31 @@ bool QSslSocketBackendPrivate::setSessionProtocol() #endif // kSSLProtocol3, since kSSLProtocol2 is disabled: err = SSLSetProtocolVersionMin(context, kSSLProtocol3); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kTLSProtocol12); } else if (configuration.protocol == QSsl::TlsV1SslV3) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "requesting : SSLv3 - TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kSSLProtocol3); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kTLSProtocol12); } else if (configuration.protocol == QSsl::SecureProtocols) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "requesting : TLSv1 - TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kTLSProtocol1); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kTLSProtocol12); } else if (configuration.protocol == QSsl::TlsV1_0OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "requesting : TLSv1 - TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kTLSProtocol1); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kTLSProtocol12); } else if (configuration.protocol == QSsl::TlsV1_1OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "requesting : TLSv1.1 - TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kTLSProtocol11); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kTLSProtocol12); } else if (configuration.protocol == QSsl::TlsV1_2OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "requesting : TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kTLSProtocol12); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kTLSProtocol12); } else { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "no protocol version found in the configuration"; @@ -1229,6 +1219,8 @@ bool QSslSocketBackendPrivate::verifySessionProtocol() const protocolOk = (sessionProtocol() >= QSsl::TlsV1_1); else if (configuration.protocol == QSsl::TlsV1_2OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_2); + else if (configuration.protocol == QSsl::TlsV1_3OrLater) + protocolOk = (sessionProtocol() >= QSsl::TlsV1_3OrLater); else protocolOk = (sessionProtocol() == configuration.protocol); |